Orchestration: the future of fraud prevention

Season 1 Episode 1


Juan José Ríos (host)

In an increasingly hyper-connected financial world with a high dynamism in digital channels, banking leads the financial industry in reaching more customers from all segments where banking is increasingly something you do and not a place you go. But in the midst of all this dynamism there are also major threats to our digital financial world. This is where fraud prevention and security units face major challenges in distinguishing their customers from criminals with increasingly sophisticated mechanisms. As banking grows in channels, so do the threats, and so do the areas of control. This leads to an increasingly complex and dispersed ecosystem that slows down a holistic view of customer risk and therefore creates a bad experience and jeopardises the security of the customer transaction that can result in financial loss (for the customer and our institution), as well as reputational damage that affects the institution's brand.

Hello, how are you? I'm Juan José Ríos. Welcome to Secure Financial World, the Monitor Plus podcast.

This series aims to grab your attention and interest, and clear up doubts about the financial world, but a safe financial world. Today we start with Marta Leuro, VP of Customer Success and Consulting, a fraud prevention expert with more than 25 years of experience in the financial sector. She is a specialist in operational means of payment processes, risk management, regulatory compliance and implementation of fraud prevention and management models, and risk management to face digital transformation, among others. She has been a speaker at high-level events sharing best practices internationally, as well as a consultant seeking to align strategy, processes and people against financial crime. She was a core member of the security committees of visa banking association of Colombia and CELAES. Marta incidentally argues that customer-centric financial anti-crime controlsareanenabler of digitisation.

Today I am joined on this occasion by Giovanni Castellanos, commercial vice-president of Plus TI. How are you doing?

Giovanni Castellanos:

How are you, Juan José? How are you, Marta? How are you? How are things in Colombia?

Martha Leuro: 

Good morning, all very well here in Colombia, it is a pleasure for me to accompany you for a while today with great expectation with this new experience of communicating through a podcast. I hope that through our conversation we can contribute new ideas. Thank you very much for the invitation.

Juan José Ríos:

Martha, as always it is a pleasure, it is good that you join us to clear up many doubts and to have more clarity in this secure financial world. I will begin Giovanni by asking you: What is orchestration?

Giovanni Castellanos:

Thank you, Juan José. Nowadays we are really starting to talk a lot about orchestration,

The question is precisely that of orchestration in financial crime prevention, fraud prevention and security issues. Based on the word orchestration, the different systems that are in place in the institutions today. One of the most important challenges institutions face today is that due to the daily growth of digital, face-to-face and non-face channels, banking continues to grow dynamically. But at the same time as it grows there is also an important challenge, and that is that each time I have to control these channels, just as before banks had to take care of the bank branch, but it was the only one that existed. So many years ago what the banks thought was that they had to protect the branch, put security, video surveillance cameras, put sensors, delayed vaults and these kinds of issues. But they're worried about the physical world when today when you talk about digital channels, new channels and emerging channels and a lot of channels that we don't even think about today that are going to be around soon, like the internet of things, where we're going to be able to ask Alexa or Siri for a statement of account. A lot of that kind of thing is a new channel, it's a new form of interaction and the problem is that I grow in channels as an institution, but I also have to control and take care of that channel, give it security. That is part of my challenge as a financial institution.

The problem I have is that if I start to grow in islands of fraud prevention, I start to have a tune that is totally out of tune and for that not to happen I must orchestrate the different security or prevention control units (depending on what they are called) in a general way, so that I can have a holistic view of the customer, so that I can know that my customer is the same one that is transacting in a face-to-face channel or in a non-face-to-face channel, such as a digital channel. To avoid having different islands of information or islands of fraud prevention, I need to orchestrate these control units to have a holistic view and no matter which system alerts me to a potential threat, I must have control in a systematic and comprehensive way with that view that allows me to know who my customer is and give them a consistent experience regardless of the channel they are using. That is orchestration: to be able to have all my control systems properly unified and controlled by a central system that allows me or avoids having islands of control, but to have everything properly controlled in a single source. That is, broadly speaking, what orchestration is all about.

Juan José Ríos:

So having an automated solution in place, a proper fraud prevention policy is a competitive advantage for an entity. There is one indisputable maxim that the leaders of large corporations know very well: to increase profit in a business. This can be done in two ways: either by impacting an increase in revenue or a reduction in costs. Let's start with the positive impact focused on increasing revenue: the more satisfied an entity's customers are, the more predisposed they will be to purchase more products more frequently, for example they will make use of the services in a bank, a customer who trusts an entity will purchase more products, more bank accounts, credit cards, debit cards, investment fund deposits, loans, etc.

Martha, fraud is an increasingly important financial risk for banks, and fraud is costing companies money and its consequences are felt by both customers and banks themselves. Fraud costs companies money and its consequences are suffered by both customers and the institution itself. What are the most relevant threats for today's banking customers?

Marta Leuro:

I think the main threat to banking today is myself. Why is it myself? Because really, just as with this health crisis around the world, self-care is what is going to help me not to catch myself. In the case of banking, self-care is what will help me keep our assets, personal data and credentials safe and secure.

It's very sad, we really go out on a day-to-day basis and we have very good physical security: we double-lock our house, we have an alarm, we protect our personal items from being stolen, but when we enter the internet world, we forget that we are going out into an insecure world. That's really it; we don't have that awareness and that education. I think the main threat, and not just in dealing with banking issues but in general, is the self-care or the hygiene that I myself have to have with my data and my personal stuff. Obviously followed by the theft of personal information and credentials, criminals look for ways to do that using different strategies using the same technology that I use to access banking, that banking uses to offer products and services remotely, that allow us now to be isolated, confined and secure because we are in our homes. It is that same technology that is used by banking and by me that is also used by criminals to trick and steal from us; they use that theft of personal information and credentials. They do it a lot through security strategies, through social engineering, which is nothing more than tricking us human beings, who click on every link we see through WhatsApp messages, SMS, even phone calls.

It is surprising how we give out information that criminals then use to get access to our accounts, including looting our credit card and investment credit card quotas that we have available. Moreover, this threat is not only to see how they plunder my accounts, but also when for some reason I did not manage to hand over my credentials because I have them protected or because the criminal could not get through these traps, they may find a video or confidential information that could damage my personal reputation, or something that for me may be private and that I do not want to be known in order to blackmail me; they have to monetise somehow the investment they have made, because these criminal gangs invest in information, in technologies, they invest in developments to be able to plunder us and cheat us more and more, so if they don't get the money in the accounts, they simply blackmail us in order to monetise their investments and get money.

Of course, another threat is online fraud, which, as a result of information theft, allows them to monetise by looting accounts.

In addition, identity theft, which is not even a new threat. He considered that the way we do banking today, because of everything we are going through and because that is where financial institutions are heading, makes impersonation a little easier for criminals, because they no longer have to present an identity document with certain characteristics, they do not need to change photos or facial features, or alter aspects that allow them to look more like the person they are impersonating. They now operate during onboarding through technology, which gives them both anonymity and impunity. It is very common and has become a greater threat to us.

I consider these to be the most relevant and strongest threats now, although there are many others.

Juan José Ríos:

Thank you very much, Martha.

The second line of action to increase a company's profitability focuses on actions that have an impact on cost reduction and as quoted in Forbes magazine "From a business standpoint, fraud represents a financial cost that if left unchecked can increase and seriously damage an entity's bottom line. Controlling the cost of fraud allows an entity to reduce its overall costs and be able to offer the most competitive products".

Giovanni, what is the biggest challenge for banks in adopting new technologies and what is your contribution as a company that fights financial crime?

Giovanni Castellanos:

Interestingly, we have realised that we already have a lot of experience in this area. The company, Plus Technologies, was founded in 2003 and our product had already been on the market for a couple of years and now we have 20 years of experience, which has allowed us to learn a lot along the way.

Interestingly, there are increasingly more specialised players in the fraud prevention ecosystem, and in fact one of the recommendations of Gartner, a global benchmark for technology analytics, has recommended an interesting framework it calls "multi-layered protection" of five states, where security starts from the device, moves to monitoring through navigation, then into the channel, and finally a multi-channel correlation analysis of the different sources of information to enable that holistic view and exploitation of data at the Big Data level.

I mention this because each of these security layer segments has brought many vendors, many solutions to the market. That's not a bad thing because in a way we have specialised, and now our contribution as a company is that:

First, we are one of the first companies to do this and we have a broad leadership in Latin America (about 37% of the 250 largest banks in Latin America use our products). So we capitalise on that experience to know what is best for our clients. One of the things we have achieved is to be present in all these layers to support institutions to have a comprehensive solution. In fact, one of Gartner's analyses is that financial institutions should have as few providers as possible because as they grow in providers, the challenge of being able to control and have a holistic control grows; today the customer, regardless of whether he or she transacts in one channel or another, wants to be treated in the same way. Previously, banks have invested a lot in CRMs and business proposals to be able to have that holistic view of the customer and it has cost them a lot because banks have also grown into islands of information and there are business units that compete for the same customer. So, what is happening in fraud is that the same scenario is being replicated. Our commercial proposal to the industry is to be able to have a consolidated vision of all this, to integrate and be able to be in all these channels, because in the end, if I have a house and I want to give security to my house, I protect the windows or doors, I place security sensors; I can do many things, but I cannot leave my house without balconies, for example. I need to have comprehensive protection. So our commercial proposal to the financial industry is to have that centralised vision that allows us to integrate third parties, because obviously we know that we live in a world with different solutions, and we can integrate them, but if that is not the case, we can use our platform of the different channels and products, in the different business units of the institution to have that centralised vision. This has an impact on cost optimisation because instead of having several analysts, I can centralise in fewer analysts, I can interact more with the client and start to reduce my costs significantly. One of the most valuable things in all this is clearly to contribute to the reduction of loss, but I also have a superior experience with a customer because the customer has less and less friction with the institution in terms of fraud prevention. This is our proposition to the market: to provide a solution that integrates third parties, and if not, to be able to use our platform to be able to be in the five layers of protection that industry experts suggest.

Juan José Ríos:

Thank you, Giovanni . Then proper fraud management can become a good opportunity to show your customers how well an entity is performing. Let's be clear: all companies can be potential victims of various types of fraud. An entity that works with and uses Plus Technologies' services to make its customers see it as a resolute, proactive entity that cares about its customers. In that sense Martha, what are the big challenges in the digital transformation for prevention units?

Martha Leuro:

I'm going to define it as the time between product release versus the sky of the gaps identified in the risk assessment because you could even say that up until 2019 they were trying to keep both issues at the same pace. Obviously we had 8 months, 10 months or a year of programming for a technology project, for a product for mobile or web banking. The banks had all that time to determine what the risk assessment was, where and what controls should be put in place to mitigate them, but with the speed, activity and dynamism that this has taken on, the objective of the companies (and even for survival) is definitely to start taking out and moving the products that they did not yet have in digital banking or on the web: they have to go out and they have to go out now. This has not allowed them to make progress in closing those expenses that were identified to mitigate risks, at the same time as they are taking out products and services. I believe that the dynamics of today's situation means that the business areas have to set an extremely accelerated pace, and that all the efforts of the financial institutions are focused on these types of needs, and that the areas of prevention, cybersecurity, information security risk management are being left behind because, in the end, if I don't come out with the product, I'm going to have problems. I think that is the biggest challenge, Juan José.

Giovanni Castellanos

Martha, you mention interesting things and one of the things that makes me think is this: you as an expert and having been in that chair, what do you think the conversation that the fraud prevention officer should have to talk about orchestration within the organisation should be?

Martha Leuro:

I think there are two stages to be defined here. In the first, the prevention officer must identify the key information, the system, the platform or the area that generates the information he requires; what are the benefits, quantify the savings he could make in fraud if he had all the information and also identify the benefits for the other area, and if possible, even join forces with these other areas to give the conversation. Surely the question many will ask is: but how do I do that?

Normally in the analysis processes carried out by the bank and the investigation processes when we have been asked to do so, we review how the fraud took place and what the offender's pattern is, what pattern he is following; and when we start to review this, which is like reverse engineering, we start to identify that before the fraud took place there was an information leak, an official who suddenly changed the data, or there was a failed attempt that did not comply with all the bank's security policies, or that it already came from a type of network that is considered high risk. Effectively with that information, one can conclude that it was definitely a fraud by obtaining the customer's credentials and that it was not the customer who withdrew the money. When I start to identify these types of issues, which I do on a daily basis, I fill myself with all this type of information and I present the organisation with the possibility of taking advantage of the information, because I am not going to buy more tools nor do I need information that I don't even know exists to be able to do it, but it is the information that has already been available with the same information that I identify as a fraud in favour of the customer because it identifies points 1, 2 and 3. That is the same information that I require to start coming to my orchestration and it is to start making synergies, to demonstrate to the entity the cost benefit of being able to bring that information, and of course another thing I would tell them is that we are not going to bring all the information, but it is key information and very likely you could sell the project.

Juan José Ríos:

Ok, Martha, specifically in the banking sector the number of customer complaints has been increasing year after year. According to Condusef data, about 73% of credit card claims are due to fraud. Giovanni, how does an orchestration process start?

Giovanni Castellanos:

Juan José it is an interesting topic and I will use words that Marta uses frequently: early wins. Fraud prevention in institutions is really not easy because fraud prevention units are seen as a cost and not as an ally in this process. Today's customers, those of us who are users of any financial institution, look first for the security of our transaction, that what we are doing is really safe. In this environment where the customer is the most important thing and security must be customer centric, fraud prevention units have to start looking for those channel areas that have higher levels of risk exposure based on risk levels.

Clearly everyone thinks about digital banking, which is the most difficult because we are entering this world in a somewhat accelerated way, today because of the covid-19 issue, but a few years ago when everyone started to have a mobile device. So this situation clearly leads us to think that the biggest risk today is precisely in the digital channels. So what do prevention units have to do and how do they start?

With these early victories we have to look at where we are going to deliver results more quickly. One of the valuable things we have done with some clients is to disintegrate Visa's fraud system. They have a series of alerts and risk score messages that we have managed to integrate into the platform and this has produced interesting results for the entire card world, such as means of payment.

What have we done? We have not tried to integrate everything because it is very difficult; there are many participants within the banking ecosystem and it is difficult to socialise with them because the business priorities are going to be those that predominate in the day-to-day life of the financial institution, but once we have identified those channels with the highest risk, we can integrate them one at a time; we cannot try to integrate them all at the same time or get into a very ambitious process of orchestration because in the end that will be a disastrous result. Those who try to do that do very badly because what happens is that, like many things in life, is to focus on those channels that are most exposed to risk and from which you can have access to information that can be integrated. So I am always going to focus on what is most at risk.

Clearly what has a higher risk will also have a level of difficulty in its integration, but it will also translate into an early victory to be able to integrate a system, a channel, an authentication mechanism or a biometric behaviour mechanism; that is what I should focus on, to take one thing at a time and start integrating it with my fraud prevention platform, and not try to integrate cards, to integrate ATM channels, to integrate internet banking, etc. You have to focus on the ones that have the highest risk exposure and those are the ones that I have to integrate, that will allow me to have early victories and be able to gain credibility in the institution and fight for resources because when I demonstrate that I am achieving those early victories and that I am giving a good result, they will give me more budget to go for another channel, for another integration, and little by little I can start to do that integration. The vision should never be "okay, I have 5 control units and all 5 should be included"; my metrics and my main focus should always be on those that have the greatest exposure to risk and, as a second point of evaluation, I should determine which ones would be technologically easier to integrate; those that provide integration APIs, that provide technologies such as Json, XML, etc. Those are going to allow me to be easier to integrate because their level of complexity is much lower than proprietary systems that handle their own code or their own integration format. Although today I have to tell you Juan José that actually most systems have moved towards standards like Json, for example XML, and that makes it easier in a way.

Today at least I would say that most of us are in that, which has drastically reduced the integration processes. So, which is the channel or the highest risk unit that has the most exposure? And then there must be the second criterion, which is which is the easiest to integrate, because clearly I have to fight for resources with technology and so on. Those would be the criteria to get started: early wins.

Juan José Ríos:

Martha, how did you identify when I need an orchestrator to strengthen the fraud management model?

Martha Leuro:

That's a very good question. I think the model itself will tell you as you go through the fraud results, if the level of detection is very high, but you still want to keep reducing fraud or some elements that you can't stop. The model itself kind of tells you what information is missing, or when you reverse engineer the investigation process and you realise that there is a lot of information outside of what you are getting, what you have at the moment in Monitor Plus®, what you are missing, it kind of speaks and shows you what information you need or what is missing. Although I think this should be there to strengthen the fraud strategy and to have better results and less friction for the customer. However, when you have not had the same system, it kind of tells you that it is falling short and asks for more and you feel it like when you drive a mechanical car and you feel that it needs more revolutions. The model tells you that it lacks information and asks for more, it talks to you. Definitely yes. Look, the most vulnerable moment for products is the moment of release, even because of what I mentioned earlier.

Giovanni Castellanos:

One interesting idea you mention, and now that we are all talking about digitalisation or digital transformation, do you think that institutions should acquire a fraud management tool initially, and include orchestration in the process at once?

Martha Leuro: 

Definitely, yes. The most vulnerable moment for products is the moment of exit, also because of what I mentioned earlier. Today, and especially because of the times we are living in 2020, the imbalance between the moment of exit and the closing of this risk gap that may have been identified is what criminals take advantage of the most to attack institutions and customers. The ideal thing really is that knowing the business, where it is going, what they are and what is coming, what are the products that we are going to bring out in the bank, finally the best I can do is that route as well and implement and definitely include a tool that helps us to face this crisis, need a tool that helps us to face the threats of digital banking and that of course helps us to protect the customer, the bank, the shareholders,

Plus IT tools focus on minimising losses, maximising operational efficiency, and of course, improving the user experience. That's the ideal world, if only we could do it and do it all the time.

Juan José Ríos:

All right, so Giovanni, closing this podcast: why carry out an orchestration process at all?

Giovanni Castellanos:

Marta mentioned something interesting and it is a maxim within the company. The three most important objectives for us in providing a fraud prevention platform is, first to avoid loss, that's why they buy such a tool. Secondly, it is the search for operational efficiency, I have to be very efficient because you mentioned at the beginning the cost issue is very sensitive. I cannot write tools and more tools without growing in personnel because those are liabilities and I am growing in physical area. The human resource is the most difficult to manage, so operational efficiency is key in this process. And lastly, and increasingly important, is the customer experience. There are three important elements, one is to reduce loss, another is to be operationally efficient, and number three, that the customer has an important experience, that it is a transparent, satisfactory and safe experience.

So I have to start a process of orchestration with those objectives. To reduce loss, and the way to reduce loss is if I have my systems orchestrated, synchronised, directed by an orchestra conductor, clearly I will have a better chance of reducing loss because instead of having two systems trying to defend one channel and each one on its own (because many times they are even different units), In other words, I still find banks in Latin America that have a card fraud prevention unit, a documentary fraud prevention unit, they call those that are cheques and credit application issues, so there are scattered units, which means that they undoubtedly have tools at their disposal. But it turns out that it is not the same person who writes you a cheque or who makes an online transfer and who buys from you with your credit card, it is the same customer. So the customer expects that no matter what payment method or channel he is using, he will have a transparent and secure experience. So instead of having different units looking after the customer, I start centralising.

That means that I have that vision, like I have to have a spyglass and I can see the forest. Number 2, clearly I start to be more efficient operationally because I start to have less staff, because I no longer give the intelligence to my people but I give it to my tool, which has to be the one that has the capacity to analyse events in different channels, for example a query on the platform of a recurring customer, and it turns out that followed by that query there is a transaction in the internet channel, either by mobile banking or by web banking, with an IP that is not usual, for example, then I start correlating two different things, but I only have that if I have those two centralised units. Butif what I have is somebody who monitors what employees do, and a cybersecurity unit that looks at what happens from IP threats and TOR networks on the other side, clearly I have two different things and two different efforts that are probably going to end up in fraud. So, I am being operationally inefficient (which I am looking to reduce as a second element) and the most important, and I say most important because the issue of your customer legacy has become everybody the customer experience everybody talks about frictionless they want their customers to have the least amount of friction with the institution, but what happens is that deep down what I want is for my customer to speak well of my bank.

They say that the most valuable question when it comes to recommending a brand, product or service is: Would you recommend your institution? I have to get my clients to recommend my institution, and that is very valuable nowadays. Today with this information revolution that we have, where everything is contextual, where everything is already going to be sensors, where people talk in a structured way through their social networks; that's where word of mouth is today, it's not that I physically tell you "Juan José, you used the bank". That's because I go into my social network and I see people who are "my friends" and I don't even know, recommending me or talking bad about a bank because they had a fraud. That's what banks today don't want: that people talk bad about them, because in the end there is an implicit reputational risk and we know today that the brand weighs a lot.

If I think about the brand of a financial institution, I am going to look for a financial institution that gives me better channels, better experience and gives me security. So I would say that to conclude the process, the orchestration should seek those three elements: reduce loss, maximise operational efficiency and, most importantly, that my customer feels that his operations are secure and that he can communicate this and say "my bank really gives me security". That is what the work units should be looking for at the end of the day.

Juan José Ríos:

Very good, friends. In conclusion, it stands out that having an automated solution and an adequate fraud prevention policy is a competitive advantage for an entity. Giovanni and Martha, thank you very much for joining us today to talk about this topic and of course we invite you to continue with us enjoying these podcasts that we are preparing for all of you every day.

This is Secure Financial World, the Monitor Plus podcast. I'm Juan José Ríos. See you next time.